Ten Most Important Actions HR Can Take in Response to Cyber Threats

by Yan Ross, ICFE Director of Special Projects

In today's world of growing identity theft and cyber attacks,
the Human Resources (HR) office of nearly every organization
needs to be an integral participant in developing and
implementing ways to avoid the adverse effects of these criminal
activities.

This article is focused on small businesses
and non-profit organizations, since there is evidence that
larger companies already have both the budget and awareness to
respond to cyber threats. Based on current reports, it appears
that many HR professionals are easily lulled into a false sense
of security, arising out of several common misconceptions.

If you can keep calm in the midst of a catastrophe, you
have probably found someone to blame it on.

Adopting and
implementing policies and procedures is an excellent place to
start. These rules of operation provide the basic instructions
and guidelines on running an effective and efficient
organization. Also, they are periodically reviewed and updated,
affording an excellent opportunity to include healthy cyber
practices, sometimes referred to as good "cyber hygiene."

Who are the organizational parties for HR to include in this
exercise? Starting at the top:
- The C-level executives
- Information Technology (either internal or outside contractors)
- Accounting and Finance
- Compliance and Audit Officers (including outside accountants)
- All employees with access to the IT systems

The TEN Actions

1. Initiate a meeting with the relevant participants to review the
current cybersecurity process. Depending on the organization's
structure and dynamics, this may start with the next executive above
HR or another person in the chain of command. Be clear that this
exercise is to support, not replace, the work done by the IT
managers. Prepare a draft agenda for this purpose.

2. Review the current policies and procedures for the presence or
absence of information security and cybersecurity provisions. This
exercise is usually carried out best in cooperation with the IT
managers, in order to achieve the best coordination. Consider whether
there is a need to designate additional personnel such as a Privacy
Officer, Data Protection Officer, or other appropriate information
security responsible party.

3. Determine whether this exercise can be accomplished using internal
resources or whether an outside facilitator may be preferable.

4. Restrict access to the individuals and devices necessary to conduct
operations.
  a. In conjunction with IT, establish the hierarchy of access for
  employees.
  b. Restrict access by non-approved devices, such as flash drives and
  "Bring Your Own Device" (BYOD) hardware.

5. Establish an Employee Education Program.
  a. Conduct "in service" workshops using internal resources and other
  professionals on such vulnerabilities as creating and maintaining
  strong passwords, avoiding phishing schemes and other social
  engineering attacks, and physical security.
  b. Provide updates on cybersecurity issues on a regular schedule, or
  as new threats come to light.
  c. Consider offering an employee benefit to assist with identity
  theft restoration, as the organization loses time and resources when
  employees experience identity theft.

6. Review Legal Requirements.
  a. Depending on the nature of the information collected and held by
  the organization, determine the responsibilities to protect it.
  b. Such data as financial and medical information may have special
  requirements.
  c. There are federal and State requirements, which may overlap or be
  inconsistent.
  d. Pay special attention to maintaining the Confidentiality,
  Integrity, and Privacy of such data.

7. Adopt and Implement a Recovery Plan.
  a. Despite all efforts to manage this risk, breaches do happen.
  b. Establish a clear protocol to follow in the event of a data
  breach, including assigning someone to manage the breach and
  outlining what actions need to be taken.
  c. Prepare to comply with notification of affected parties, according
  to the requirements of the relevant State jurisdictions.
  d. Select a provider for remedial services in advance of a breach.

8. Update all Policies and Procedures with special regard to the
identified cybersecurity issues.
  a. For each issue, determine and assign responsibility to the
  designated party.
  b. Include provisions to prevent employee fraud.
  c. Include a routine to follow to assure that departing employees no
  longer have access.
  d. Use this opportunity to deal with all threats to confidential and
  proprietary information, not just those vulnerable to cyber attack.

9. Conduct a Risk Assessment Exercise.
  a. Evaluate risks to the confidentiality, integrity, and privacy of
  sensitive information.
  b. Establish an appropriate response to each risk.
  c. Evaluate the cost of responding to each identified risk.
  d. Determine whether certain risks are subject to risk-sharing, such
  as insurance.

10. Consider Cyber Insurance.
  a. For most organizations, other insurance coverage, such as general
  liability, Director and Officer, or Errors and Omissions, does not
  cover cyber events.
  b. There are currently numerous insurance carriers offering cyber
  coverage.
  c. The underwriting process to evaluate the scope of risk and
  liability can be valuable in helping to manage the underlying risks.
  d. Based on the type and limits of coverage offered, and the premium
  cost, such cyber insurance may be a good investment for the
  organization.

When should these actions be taken?
- At the earliest practicable time.
- When new employees come to work, as part of the onboarding process.
  This includes contractors with access to the system.
- When employees leave, as part of the exit process. "Clean out your
  desk and return your keys" is not enough. This also includes
  contractors with access to the system.
- Periodically as cyber threats are identified, and at least once a
  year.
- As other organizational participants may require, or as changes are
  adopted in the organizational policies and procedures.

Implementing these ten actions will
provide the foundation for HR to participate in a substantial
step forward in responding to the threat of cyber attacks and
managing the risk of damage to the organization caused by this
growing challenge.

Yan
Ross is ICFE's Director of Special Projects, and the author of the
Certified Identity Theft Risk Management Specialist ® XV CITRMS®
course. As an accredited educator for over 20 years, he has addressed
Identity Theft Risk Assessment and management for consumers, organizations
holding personally identifiable information, and professionals who
work with individuals and organizations who are at risk of falling
victim to identity thieves.

The ICFE's Certified Identity
Theft Risk Management Specialist ® XV CITRMS® course is now available
both in printed format and online.

The Textbook and Desk
Reference edition of the course book is also available online. Bulk
pricing and discounts for veterans and students available. Inquire
at yan.ross@icfe.info

ICFE eNEWS is available FREE upon request by visiting our Web site,
filling out the contact form, and selecting "Yes" for "Add to Mailing
List." Please pass this eNEWS on to your peers and interested others
and invite them to subscribe for free.
Also, visit the ICFE's new Web site: StudentDebtHelp.org

About the ICFE:

The Institute of Consumer Financial Education (ICFE) was founded in 1982 by the late Loren Dunton (creator of the Certified Financial Planner (CFP) designation). The ICFE is dedicated to helping consumers of all ages to improve their spending, increase savings and use credit more wisely.
The ICFE is an award-winning, nonprofit, consumer education organization that has helped millions of people through its education programs and resources. It publishes the Do-It-Yourself Credit File Correction Guide, which is updated annually. The ICFE has distributed over one million Credit/Debit Card Warning Labels and Credit/Debit Card Sleeves worldwide.

The ICFE became an official partner with the Department of Defense/Financial Readiness Campaign in June of 2004. The ICFE was an active partner in the California Student Debt Resource Awareness Project (CASDRAP), which resulted in a new web site (studentdebthelp.org). CASDRAP disbanded in 2010, shortly after the web site project was completed. In 2011 the ICFE assumed the single sponsorship of the studentdebthelp.org web site and is now responsible for its content and operation.

The ICFE is also an online help for consumers who spend too much. ICFE's spending help was featured in PARADE Magazine in the Intelligence Report section. The money helps and tips are from the ICFE's Money Instruction Book, our course in personal finance.

Visit the ICFE's other web sites at: www.financial-education-icfe.org and studentdebthelp.org. Both sites help consumers and students with mending spending, learning about the proper use of credit, budget and expense guidelines, how to set up and implement a spending plan, how to access financial education courses, and how to teach children about money. Other ICFE services include: Ask Mr. G, a free eNews, and an online resource center for students, parents and educators, plus financial education learning tools and a book store.